How to deploy Forefront Endpoint Protection 2012 beta on SCCM 2012 beta
This blogpost is a full installation walkthrough and documentation guideline on how Forefront Endpoint Protection 2012 beta is installed (I did this today at one of our customers)
One of the main assumptions for the implementation of FEP 2012 beta, is having the availability of a fully operational System Center Configuration Manager 2012 platform, which was the case. (Thanks to my colleague Steve for this !!)
The following topics are documented:
· Installation walkthrough of the FEP 2012 beta server components
· Overview of FEP components within SCCM 2012 console
· Update OSD Task Sequence for FEP 2012 client deployment
· Walkthrough of a manual deployment of the FEP 2012 client
· Monitoring FEP 2012
Installation walkthrough of the FEP 2012 beta server components
· Start the FEPInstall from the installation medium
· If you choose here for Basic Topology, the FEP 2012 component will take all current settings from the running SCCM 2012 platform (file locations, SQL database, SQL reporting services, service account settings,…)
· Enter the Password for the SCCM 2012 service account
· Here we choose Use Microsoft Update…; this guarantees that the FEP 2012 client antivirus / antimalware signatures are automatically updated by using Microsoft Update. There is an automatic fallback scenario where the update engine can perform a direct update as well, if WSUS engine should be down.
· By selecting Basic SpyNet membership, the FEP 2012 application will send regular information to Microsoft regarding virusses and malware it detects on the network. The feature “Advanced SpyNet” has about the same functionality, but it also gives feedback to the end-users in the FEP client console, which is normally something we don’t want to bother our users with.
· As the installation prerequisite check is finished succesfully, we force the setup to automatically open the SCCM console
Overview of FEP components within SCCM 2012 console
After we installed the FEP 2012 server components in the previous step, this chapter gives a basic overview of the default FEP 2012 beta topics in the SCCM 2012 beta console.
The following SCCM options are available in Software Library console:
– Software Library / Overview / Application Management / Packages /
o FEP Deployment
o FEP Operations
o FEP Policies
The following SCCM options are available in Monitoring console:
– Monitoring / Overview / FEP Status
– Monitoring / Reportings / Reports
o FEP information for a specific computer
The following SCCM options are available in Assets & Compliance console:
– Overview / FEP Policies
o Default desktop policy
o Default server policy
– Overview / Compliance Settings / Configuration Items
o FEP … (several collections available)
– Overview / Device Collections / FEP Collections
o FEP … (several collections available)
Update OSD Task Sequence for FEP 2012 client deployment
As a lot of FEP specific parameters and settings have already been preconfigured within SCCM 2012 beta, we can immediately make use of those settings to start deployment of the FEP 2012 beta client to our environment.
In this first example, we update an existing OSD task sequence to install FEP 2012 beta client at the end of the OS deployment.
· Go to Software Library / Overview / Operating Systems / Task Sequence
· In our example, there was already a task sequence for deploying a Win7 client with some applications. For “safety reasons”, we first copy this task sequence to a new, which will be updated afterwards with FEP 2012 deployment.
· Select the new Task Sequence, right click / Edit
· Pick Add / General / Install Package
· Name : FEP 2012 beta client
· Description : This package installs the FEP 2012 beta client software
· Package : Click Browse / select “Microsoft Corporation FEP – Deployment 1.0” from the list off available packages
· Program: select “install” in the listbox
· Drag / Drop the new package at the end of the “install applications” list; this will install the package as the last component within the task sequence (just an example, not a requirement)
Walkthrough of a manual deployment of the FEP 2012 client
In the previous chapter, we explained how to update an OSD task sequence to install FEP 2012 beta as part of the overall OS deployment.
In this chapter, we talk about how to “manually” deploy the FEP 2012 beta client package to a set of computers.
· Go to the FEP 2012 beta deployment package (Software Library / Overview / Application Management / Packages / FEP – Deployment)
· Rightclick the package + choose Deploy from the context menu
· Software: Browse / Pick “Install”
· Collection : Browse / Any collection of machines to which you want to deploy FEP 2012; in this example, we pick the collection “ All desktop and server clients”
· Distribution Point: <your SCCM distribution point>
· Purpose : Required – means the package needs to be installed automatically
· Priority : Normal / High
· If your clients, network and SCCM Site settings support wake-on-lan, mark the option “send wake-up packets” to make sure all active and standby clients receive the package
· Define an assigment schedule when you want FEP to be deployed
· Choose “Download content…”; this will copy the installation files to the client machine first, and start deployment afterwards. This is the suggested setting for software deployment over LAN.
· Once this wizard is completed, a deployment task is scheduled for the specific collection. Once the SCCM Agent receives notification for installation, the FEP 2012 beta client will be installed on the clients.
· After a few minutes, by going to Monitoring / FEP Status, we can see 1 computer has FEP installed, and 2 other installations are pending
We are now at the status where FEP 2012 beta package can be deployed from within an OS Deployment task sequence, or by using a manual deployment to a specific computer collection.
Monitoring FEP 2012
On the last screen of the previous chapter, we get a graphical overview of FEP 2012 beta deployment Statistics. When clicking on the “1 computer has FEP deployed” link, it will bring you automatically to a newly created collection (automatically done by FEP) “Computers that succeeded FEP Deployment”.
This is a group of assets that have FEP client 2012 installed.
· Other Device viewing collections are also created automatically by FEP:
o Computers not targeted by FEP (will never get FEP client installed)
o Computers with out of date FEP Versions (have FEP installed, but is out of date)
o Computers Pending FEP Deployment (deploy is scheduled, but not started/finished yet)
· On any of the above mentioned FEP Device Collections, we have a new topic available “FEP OPERATIONS” (in the menu ribbon or by rightclicking on the collection / FEP Operations from the context menu)
· This has the following possibilities:
o Run Antimalware Definition updates (=update the virus engine)
o Run Quickscan
o Run Full scan
Configuring FEP Alerts
One could continuously check the different FEP monitoring components or collections within SCCM 2012 console. However, it is more efficient to configure alerts to warn the administrators / helpdesk users of any necessary information on FEP installations on our clients & servers.
· Go to Assets & Compliance
· From within the Ribbon, 2 additional FEP configurations are possible
o FEP email settings
o FEP Alerts
· FEP Email Settings:
ð Allow to configure SMTP server settings + notification email address
· FEP Alerts:
o Configure to which email addresses FEP alerts should be sent to, on specific malware detection occurance
That’s it folks !
Cheers,
/Peter